Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 27/11/2022, 20:59
Static task
- static1
Behavioral task
- behavioral1
  Sample: a9a9844f37ba6c20d2fba0f1b4fd5c7e1acd06f75b10d8a88ca72567430b1630.exe
  Resource: win7-20220901-en
Behavioral task
- behavioral2
  Sample: a9a9844f37ba6c20d2fba0f1b4fd5c7e1acd06f75b10d8a88ca72567430b1630.exe
  Resource: win10v2004-20220901-en
General
- Target: a9a9844f37ba6c20d2fba0f1b4fd5c7e1acd06f75b10d8a88ca72567430b1630.exe
- Size: 167KB
- MD5: f1d96c5821eb465ded1b71741495160b
- SHA1: 2fd76d480926bbf64e5d735eecece6e8cb321b8d
- SHA256: a9a9844f37ba6c20d2fba0f1b4fd5c7e1acd06f75b10d8a88ca72567430b1630
- SHA512: b8881c880ab85392937265123285ba72111f9269b8b20a54546d84a20f00c710ef6e488b577dde46e4e4dfa2348a469610c999fb500b5f07fbce6f9d37fe5899
- SSDEEP: 3072:uyq1JTIDugFXJS5rCQGXTqmGxQHAHmBVUdaJnXTSnj2:mtwRFXTqVeAsVUEJG2
Malware Config
Signatures
- Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/1760-56-0x00000000003B0000-0x00000000003B9000-memory.dmp
  yara_rule: family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  process: a9a9844f37ba6c20d2fba0f1b4fd5c7e1acd06f75b10d8a88ca72567430b1630.exe
  description: Key queried
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  process: a9a9844f37ba6c20d2fba0f1b4fd5c7e1acd06f75b10d8a88ca72567430b1630.exe
  description: Key enumerated
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  process: a9a9844f37ba6c20d2fba0f1b4fd5c7e1acd06f75b10d8a88ca72567430b1630.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1760, process a9a9844f37ba6c20d2fba0f1b4fd5c7e1acd06f75b10d8a88ca72567430b1630.exe (2 entries)
  pid 1204, process "Process not Found" (the remaining entries, all identical)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1204, process "Process not Found"
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1760, process a9a9844f37ba6c20d2fba0f1b4fd5c7e1acd06f75b10d8a88ca72567430b1630.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a9a9844f37ba6c20d2fba0f1b4fd5c7e1acd06f75b10d8a88ca72567430b1630.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a9a9844f37ba6c20d2fba0f1b4fd5c7e1acd06f75b10d8a88ca72567430b1630.exe"
  PID: 1760
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection